TaoSecurity Blog

After seeing Dan Kaminsky's talk at Black Hat DC last month, I blogged about the benefits of DNS' ability to scale to address big problems like asset management records . I've avoid talking about Conficker (except for yesterday ) since it's all over the media. Why mention DNS and Conficker in the same post? All of the commotion about Conficker involves one variant's activation of a new domain generation algorithm on 1 April. Until today no one had publicly announced the reverse engineering of the algorithm, but right now you can download a list of 50,014 domains that one Conficker variant will select from when trying to phone home starting 1 April. Some of the domains appear to be pre-empted: $ whois aadqnggvc.com.ua % This is the Ukrainian Whois query server #B. % Rights restricted by copyright. % % % .UA whois % Domain Record: % ============= domain: aadqnggvc.com.ua admin-c: CCTLD-UANIC tech-c: CCTLD-UANIC status: FROZEN-OK-UNTIL 200907010000...

A blog reader posted the following comment to my post Network Security Monitoring Lives : How do you use NSM to monitor the growing population of remote, intermittently connect mobile computing devices? What happens when those same computers access corporate resource hosted by a 3rd party such as corporate SaaS applications or storage in the cloud? This is a great question. The good news is we are already facing this problem today. The answer to the question can be found in a few old principles I will describe below. Something is better than nothing. I've written about this elsewhere: computer professionals tend to think in binary terms, i.e., all or nothing. A large number of people I encounter think 'if I can't get it all, I don't want anything." That thinking flies in the face of reality. There are no absolutes in digital security, or analog security for that matter. I already own multiple assets that do not strictly reside on any single network that I ...

I just watched the 60 Minutes story The Internet Is Infected . I have mixed feelings about this story, but I think you can still encourage others to watch and/or read it. Overall I think the effect will be positive, because it often takes a story from a major and fairly respected news source to grab the attention of those who do not operationally defend networks. I'd like to outline the negative and positive aspects of the story, in my humble point of view. The negative aspects are as follows: I detest the term "infected." Computers in 2009 are not "infected." They are compromised by malware operated by a human with an objective. The malware is a tool; it is not the end goal. In the late 1990s I enjoyed defending networks because the activity I monitored was caused by a human, live on the Internet, whose very keystrokes I could watch. At the beginning of this decade I despaired as human action was drowned in a sea of malware that basically propagated but...

Every once in a while I will post examples of why Network Security Monitoring works in a world where Webbed, Virtual, Fluffy Clouds abound and people who pay attention to network traffic are considered stupid network security geeks . One of the best posts I've seen on the worm-of-the-week, Conficker, is Risk, Group Think and the Conficker Worm by the Verizon Security Blog. The post says: With the exception of new customers who have engaged our Incident Response team specifically in response to a Conficker infection, Verizon Business customers have reported only isolated or anecdotal Conficker infections with little or no broad impact on operations. A very large proportion of systems we have studied, which were infected with Conficker in enterprises, were “unknown or unmanaged” devices. Infected systems were not part of those enterprise’s configuration, maintenance, or patch processes. In one study a large proportion of infected machines were simply discarded because a current...

Last year I wrote Run Apps on Cisco ISR Routers . That was two weeks after our April Fool's joke that the Sguil Project Was Acquired by Cisco . I am wondering if any TaoSecurity Blog readers are using Cisco AXP in production? Looking at the data sheet for the modules, they appear too underpowered for NSM applications, especially at the price point Cisco is advertising. Richard Bejtlich is teaching new classes in Europe and Las Vegas in 2009. Online Europe registration ends by 1 Apr, and seats are filling. Early Las Vegas registration ends 1 May.

In response to my TaoSecurity Blog post titled Buck Surdu and Greg Conti Ask "Is It Time for a Cyberwarfare Branch?" , I decided to create the Association of Former Information Warriors. I set up a LinkedIn Group with the following description: The Association of Former Information Warriors is a professional networking group for those who once served as military members in information operations (IO) or warfare (IW) units. The mission of the AOFIW is to propose, promote, and debate policies and strategies to preserve, protect, and defend digital national security interests. Candidate members must be referred by current members. Those no longer in military service are candidates for full membership; those currently serving in uniform are candidates for associate membership. In other words, to join AOFIW you need to know an existing member. This weekend I am going to try kickstarting the membership process by inviting those I personally know and trust to meet these criteria...

Last year I attended The Best Single Day Class Ever , taught by Prof. Tufte. He changed my outlook on PowerPoint for ever. Today in FCW magazine I found a pointer to 8 PowerPoint Train Wrecks , like the slide Bill Gates is presenting at left. While following some of the linked presentations, I came across this line from the shmula blog : While at Amazon, we were all told by Divine Fiat that ALL presentations — regardless of kind, cannot ever be on Powerpoint. Period. Bezos prefers prose and actual thoughts slapped in a report — an actual paper report with paragraphs, charts, sentences, an executive summary, introduction of problem, research approach and findings (body of paper), conclusions and recommendations — not choppy, half-thoughts on a gazillion slides. Thank goodness. I am not crazy after all. That same blog post makes other good points, and links to an imagined Barack Obama "Yes We Can" PowerPoint deck . Hilarious. Richard Bejtlich is teaching new classes in ...

Ties between the US government and digital security are all over the news right now. We have the Director of National Intelligence supporting greater NSA involvement in defending cyberspace , which prompts the (now former) Director of the National Cyber Security Center (NCSC) to resign in protest. We have the chief security officer of Oracle calling for a Monroe Doctrine for cyberspace while the former director of the National Cyber Security Division says (paraphrasing his speech) security resources are often misaligned and misallocated because organizations are driven to present number-driven metrics based on some combination of threats, vulnerabilities and asset value to management — and that doesn't work. There is talk of creating a Cyberspace Combatant Command , to stand alongside other Unified Combatant Commands . (Thanks to Greg Conti for the link.) I think a Cyber COCOM would be a great step forward, since Combatant Commands, not the individual services, are the ent...

If you've been watching the digital security scene for a while, you'll notice trends. Certain classes of attack rise and fall. Perceptions of risks from insiders vs outsiders change. I think it is important to realize, however, that globally, security vulnerabilities and exposures are persistent. By that I mean that if we forget or neglect problems from the past (or even present) and focus only the future, we will lost. For example, the three big themes you'll see in many IT and security discussions are the following. Web apps Virtualization Cloud If you're not dealing with those three areas, you're a dinosaur, man! Forget all that other stuff you've learned! The problem with that attitude is that it sees the world through a tunnel of shiny newness. Consider the following list of recent security issues and see how many of them deal with those three hot topics. CPU-level attacks (e.g., Attacking Intel® Trusted Execution Technology ) MPLS attacks (e.g., All Y...

Gary McGraw was kind enough to share a draft of his new Building Security In Maturity Model . I'm not a "software security" guy but I found that the Governance and Intelligence components of the Software Security Framework apply almost exactly to anyone trying to build a detection and response, or "security operations", center. Consider: Governance Strategy and Metrics Compliance and Policy Training Intelligence Attack Models Security Features and Design Standards and Requirements I think the whole document is just what the software security world needs, but the two sections should apply equally well, and almost without any modification, to someone trying to build a detection and response operation or at least trying to assess the maturity of their operation. Richard Bejtlich is teaching new classes in Europe and Las Vegas in 2009. Online Europe registration ends by 1 Apr, and seats are filling. "Super Early" Las Vegas registration ends 15 Mar...

I think the next generation of IT and digital security professionals will find limited opportunities in the "traditional" non-IT/security companies of today. I wrote about this last year in Reactions to Latest Schneier Thoughts on Security Industry when I said this, specifically about the security field: What does this mean for security professionals? I think it means we will end up working for more service providers (like Bruce with Counterpane at BT) and fewer "normal" companies. Bruce wrote "the security industry will disappear as a consumer category, and will instead market to the IT industry," which means we security people will tend to either work for those who provide IT goods and services or we will work for small specialized companies that cater to the IT goods and services providers... [S]ecurity companies will end up part of Cisco, Microsoft, Google, IBM, or a telecom. I doubt we will have large "security vendors" in the future. I...

Last year I posted Defensible Network Architecture 2.0 , consisting of 8 (originally 7, plus 1 great idea from a comment) characteristics of an enterprise that give it the best chance to resist an intrusion. In this post I'd like to define some specifics for the first of the 8 characteristics: monitored . At some point in the future it would probably make sense to think of these characteristics in terms of a capability maturity model. Right now I'd like to capture some thoughts for use in later work. I will approach the requirements from a moderate point of view, meaning I will try to stay between what I would expect from a low-capability operation and a high-capability operation. Like my related posts, this is a work in progress and I appreciate feedback. A Defensible Network Architecture is an information architecture that is: Monitored. Monitored can be described using the following categories, which collectively can be considered intrusion detection operations ...

This should not be a surprise to people who use forensic tools on a daily basis, but it is a good reminder. I just noticed two great posts, Dumping Memory to extract Password Hashes Part 1 and Dumping Memory to extract Password Hashes Part 2 , on the Attack Research blog . They show how to exploit a system with Metasploit, upload the Meterpreter, upload Mantech's MDD memory dumper , dump memory, download it to an attacker's system, and then follow instructions from Forensiczone to use Moyix's volreg extensions to the Volatility Framework to extract passwords. I would be curious to see if intruders are really using methodologies like this. One way to identify such activity would be to watch for files being exfiltrated from the enterprise that match common memory sizes, such as 512 MB, 1 GB, 2 GB, 4 GB, and so on. Richard Bejtlich is teaching new classes in Europe and Las Vegas in 2009. Online Europe registration ends by 1 Apr, and seats are filling. "Super ...

Last year I outlined my Defensible Network Architecture 2.0 , consisting of 8 (originally 7, plus 1 great idea from a comment) characteristics of an enterprise that give it the best chance to resist an intrusion. I'd like to step into the post-intrusion phase to discuss Recoverable Network Architecture (RNA, goes well with DNA, right?), a set of characteristics for an enterprise that give it the best chance to recover from an intrusion. This list is much rougher than the previous DNA list, and I appreciate feedback. The idea is that without these characteristics, you are not likely to be able to resume operations following an incident. RNA does not mean your enterprise will be intruder-free, just as DNA didn't mean you would be intrusion free. Rather, if you do not operate a Recoverable Network Architecture you have very little chance of returning at least the system of interest to a trustworthy state. (Please remember the difference between trusted and trustworthy !)...

I've been blogging recently on Inputs vs Outputs, or Why Controls Are Not Sufficient . I've also been writing about Wall Street for the past year and a half. What we are seeing in the business realm is one of the biggest incident response engagements the world has ever seen. This morning on CNBC's Squawk Box, reporter Steve Liesman summarized the market's reaction to the ongoing crisis. The latest jobs report had just been released, and panelists were debating the effectiveness of the administration's announcements of various plans. Steve said: It's not what you're doing that matters; it's whether or not it works. In other words, focusing on the inputs as a measure of success is a waste of time. You have to know the score of the game. In the business world, the score of the game is measured using employment numbers, stock market prices, the London Interbank Offered Rate (LIBOR), currency valuations, and so on. My post Controls Are Not the Soluti...

Earlier this week I attended an IANS Mid-Atlantic Information Security Forum . During the conference Phil Gardner made a good point. He noted that the ongoing credit crisis has fundamentally altered the world's perception of business risk. He said the changes to financial operations are only the beginning. These changes will eventually sweep into information security as well. This reminded me of the world's reaction to 9/11. The day the attacks happened, I was working at our MSSP. Some of my customers called to ask if we were seeing unusual digital attacks against their systems. That really surprised me, but it emphasized the fact that 9/11 introduced a new era of security-mindedness. I believe that era has largely passed, but for the better part of this decade 9/11 stimulated security thinking. I watch as much CNBC as possible (during lunch and dinner) and I am hearing the term "stress cases" repeatedly. This is not the same as Treasury Secretary Geithner...

Black Hat was kind enough to invite me back to teach two sessions of my new 2-day course at Black Hat USA 2009 Training on 25-26 July and 27-28 July 2009 at Caesars Palace in Las Vegas, NV. This class, completely new for 2009, is called TCP/IP Weapons School 2.0 . These are my last scheduled classes in the United States in 2009. Registration is now open. Black Hat set five price points and deadlines for registration. Super Early ends 15 Mar Early ends 1 May Regular ends 1 Jul Late ends 22 Jul Onsite starts at the conference As you can see in the Sample Lab I posted last week, this class is all about developing an investigative mindset by hands-on analysis, using tools you can take back to your work. Furthermore, you can take the class materials back to work -- an 84 page investigation guide, a 25 page student workbook, and a 120 page teacher's guide, plus the DVD. I have been speaking with other trainers who are adopting this format after deciding they are also tired of t...

I was asked today about using Bro to record details of SSL certificates. I wanted to show an excerpt from one of my class labs as an example. In one of the labs I use Bro to generate logs for a network trace. The idea is that by looking at the server subject and server issuer fiels, you might identify odd activity. First I generate Bro logs. analyst@twsu804:~/case03$ /usr/local/bro/bin/bro -r /home/analyst/pcap/tws2_15casepcap/case03.pcap weird notice alarm tcp udp conn http http-request http-reply http-header ssl dns You can see Bro summarize the SSL connections it sees on port 443 TCP by default. analyst@twsu804:~/case03$ grep https.start ssl.log 1230953783.860406 #1 192.168.230.4/1700 > 67.199.36.111/https start 1230953792.363305 #2 192.168.230.4/1702 > 67.199.36.111/https start 1230953999.730060 #3 192.168.230.4/1712 > 63.245.209.118/https start 1230954052.303861 #4 192.168.230.4/1735 > 194.109.206.212/https start 1230954060.752904 #5 192.168.230.4/1742 > 24.92.5...